CVE-2017-15041

Name: CVE-2017-15041
Creator: NVD / NIST
Published: 2017-10-05T21:29:00.427+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 8.94%

Last modified Jun 17, 2026

CVE-2017-15041 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. EPSS estimates a 8.94% chance of exploitation in the next 30 days.

Description

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

8.94%

94.6th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Golang	Go	<= 1.8.3
Golang	Go	1.9
Debian	Debian Linux	9.0
Redhat	Developer Tools	1.0
Redhat	Enterprise Linux Eus	7.6
Redhat	Enterprise Linux Eus	7.7
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.6
Redhat	Enterprise Linux Server Aus	7.7
Redhat	Enterprise Linux Tus	7.6
Redhat	Enterprise Linux Tus	7.7

References

http://www.securityfocus.com/bid/101196Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:3463Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0878Third Party Advisory
https://github.com/golang/go/issues/22125Issue Tracking, Patch, Third Party Advisory
https://golang.org/cl/68022Issue Tracking, Patch, Vendor Advisory
https://golang.org/cl/68190Issue Tracking, Patch, Vendor Advisory
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJMailing List, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/201710-23Third Party Advisory
http://www.securityfocus.com/bid/101196Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:3463Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0878Third Party Advisory
https://github.com/golang/go/issues/22125Issue Tracking, Patch, Third Party Advisory
https://golang.org/cl/68022Issue Tracking, Patch, Vendor Advisory
https://golang.org/cl/68190Issue Tracking, Patch, Vendor Advisory
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJMailing List, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/201710-23Third Party Advisory

Timeline

Published: Oct 5, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-15041?

How severe is CVE-2017-15041?

CVE-2017-15041 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 8.94% probability of exploitation in the next 30 days.

How do I fix CVE-2017-15041?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-15041?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST